1 Topic by tonyd

  • tonyd
  • Member
  • Offline
  • Registered: 2012-09-22
  • Posts: 34

Topic: Fail2Ban ignoreip Still Firewalling Whitelist

==== Required information ====
- iRedMail version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
====

Hello,
I'm having a problem with Fail2Ban adding drop rules to the iptables chain despite having specific IP's and IP Blocks listed on the ignoreips lines in the jail.conf, jail.local.  I have even restarted iptables after stopping the fail2ban service.  The whitelisted IP's still end up showing up as a DROP rule.  Could someone please assist me with what I'm missing?  I have obfuscated the domains and first two octets for security.

Thank you,

Chain INPUT (policy DROP)
num  target     prot opt source               destination         
1    DROP       all  --  er1.swift.*****.net  anywhere            
2    DROP       all  --  x.x.1.18  anywhere            
3    fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports http,https,smtp,submission,pop3,pop3s,imap2,imaps,sieve
4    fail2ban-roundcube  tcp  --  anywhere             anywhere             multiport dports http,https,smtp,submission,pop3,pop3s,imap2,imaps,sieve
5    fail2ban-ssh  tcp  --  anywhere             anywhere             tcp dpt:ssh
6    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
7    ACCEPT     all  --  anywhere             anywhere            
8    ACCEPT     all  --  er1.swift.*****.net  anywhere            
9    ACCEPT     udp  --  10.0.0.25            anywhere             udp dpt:snmp
10   ACCEPT     udp  --  noc2.*****.net   anywhere             udp dpt:snmp
11   ACCEPT     udp  --  vpn.*****.net    anywhere             udp dpt:snmp
12   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
13   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
14   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
15   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
16   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:589 state NEW,ESTABLISHED
17   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
18   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
19   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
20   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
21   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
22   ACCEPT     tcp  --  vpn.*****.net    anywhere             tcp dpt:ssh
23   ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
24   ACCEPT     tcp  --  vpn.*****.net    anywhere             tcp dpt:mysql
25   ACCEPT     tcp  --  vpn.*****.net    anywhere             tcp dpt:20133
26   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http limit: avg 25/min burst 100

Chain FORWARD (policy DROP)
num  target     prot opt source               destination         
1    DROP       all  --  er1.swift.*****.net  anywhere            
2    DROP       all  --  x.x.2.18  anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere             tcp spt:589 state ESTABLISHED

Chain fail2ban-dovecot (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  anywhere             anywhere            

Chain fail2ban-postfix (0 references)
num  target     prot opt source               destination         
1    RETURN     all  --  anywhere             anywhere            

Chain fail2ban-roundcube (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  anywhere             anywhere            

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  anywhere             anywhere

# Fail2Ban not running

ps aux | grep fail2ban
root     17297  0.0  0.0   9384   924 pts/0    R+   09:27   0:00 grep --color=auto fail2ban

# iptables active fw rules

Chain INPUT (policy DROP)
num  target     prot opt source               destination         
1    DROP       all  --  x.x.1.18          anywhere            
2    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     all  --  er1.swift.*****.net  anywhere            
5    ACCEPT     udp  --  10.0.0.25            anywhere             udp dpt:snmp
6    ACCEPT     udp  --  noc2.*****.net   anywhere             udp dpt:snmp
7    ACCEPT     udp  --  vpn.*****.net    anywhere             udp dpt:snmp
8    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
9    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
10   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
11   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssmtp
12   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:589 state NEW,ESTABLISHED
13   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
14   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
15   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
16   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
17   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
18   ACCEPT     tcp  --  vpn.*****.net    anywhere             tcp dpt:ssh
19   ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
20   ACCEPT     tcp  --  vpn.*****.net    anywhere             tcp dpt:mysql
21   ACCEPT     tcp  --  vpn.*****.net    anywhere             tcp dpt:20133
22   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http limit: avg 25/min burst 100

Chain FORWARD (policy DROP)
num  target     prot opt source               destination         
1    DROP       all  --  x.x.1.18  anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             anywhere             tcp spt:589 state ESTABLISHED

# /etc/fail2ban/jail.conf

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 x.x.2.153 x.x.2.25 smtp663.redcondor.net smtp664.redcondor.net spam1.****.net x.x.25.0/24 x.x.26.0/24 x.x.27.0/24 x.x.28.0/24 12.44.144.0/24 x.x.1.30/32 cv.*****.com x.x.1.18 er1.swift.*****.net x.x.1.26 x.x.1.33 x.x.1.34 12.38.236.2
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = auto

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = noc@*****.net

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = false
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[dropbear]

enabled = false
port     = ssh
filter   = sshd
logpath  = /var/log/dropbear
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter   = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port     = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6

[xinetd-fail]

enabled = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2


[ssh-ddos]

enabled = false
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

[apache-noscript]

enabled = false
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = false
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2

#
# FTP servers
#

[vsftpd]

enabled = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[pure-ftpd]

enabled = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = pure-ftpd
logpath  = /var/log/auth.log
maxretry = 6


[wuftpd]

enabled = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled = false
port     = smtp,ssmtp
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled = false
port     = smtp,ssmtp
filter   = couriersmtp
logpath  = /var/log/mail.log

#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log

[sasl]

enabled = false
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter   = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log

[dovecot]

enabled = false
port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log

# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled  = false
#port     = domain,953
#protocol = udp
#filter   = named-refused
#logpath  = /var/log/named/security.log

[named-refused-tcp]

enabled = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

# /etc/fail2ban/jail.local

#
# File generated by iRedMail (2012.09.26.17.23.08):
#
# Version:  0.8.2
# Project:  http://www.iredmail.org/
#
# Community: http://www.iredmail.org/forum/
#


# Please refer to /etc/fail2ban/jail.conf for more examples.

[ssh-iredmail]
enabled     = true
filter      = sshd
action      = iptables[name=ssh, port="ssh", protocol=tcp]
               sendmail-whois[name=ssh, dest=tonyd@*****.net, sender=fail2ban@mail3.*****.net]
logpath     = /var/log/auth.log
maxretry    = 5
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

[roundcube-iredmail]
enabled     = true
filter      = roundcube.iredmail
action      = iptables-multiport[name=roundcube, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
        sendmail-whois[name=roundcube, dest=tonyd@*****.net, sender=fail2ban@mail3.*****.net]
logpath     = /var/log/mail.log
findtime    = 3600
maxretry    = 5
bantime     = 3600
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 x.x.2.153/32 x.x.2.25/32 x.x.25.0/24 x.x.26.0/24 x.x.27.0/24 x.x.28.0/24 12.44.144.0/24 x.x.1.30/32 cv.*****.com x.x.1.18/32 er1.swift.*****.net x.x.1.34/32 12.38.236.2/32

[dovecot-iredmail]
enabled     = true
filter      = dovecot.iredmail
action      = iptables-multiport[name=dovecot, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
        sendmail-whois[name=dovecot, dest=tonyd@*****.net, sender=fail2ban@mail3.*****.net]
logpath     = /var/log/dovecot.log
maxretry    = 5
findtime    = 300
bantime     = 3600
#ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 x.x.2.153 x.x.2.25
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 x.x.2.153/32 x.x.2.25/32 smtp663.redcondor.net smtp664.redcondor.net spam1.*****.net x.x.25.0/24 x.x.26.0/24 x.x.27.0/24 x.x.28.0/24 12.44.144.0/24 x.x.1.30/32 cv.*****.com x.x.1.18/32 er1.swift.*****.net x.x.1.34/32 12.38.236.2/32

[postfix-iredmail]
enabled     = true
filter      = postfix.iredmail
action      = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
        sendmail-whois[name=postfix, dest=tonyd@*****.net, sender=fail2ban@mail3.*****.net]
#           sendmail[name=Postfix, dest=you@mail.com]
logpath     = /var/log/mail.log
bantime     = 3600
maxretry    = 5
ignoreip    = 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 x.x.2.153/32 x.x.2.25/32 smtp663.redcondor.net smtp664.redcondor.net spam1.*****.net x.x.25.0/24 x.x.26.0/24 x.x.27.0/24 x.x.28.0/24 12.44.144.0/24 x.x.1.30/32 cv.*****.com x.x.1.18/32 er1.swift.*****.net x.x.1.34/32 12.38.236.2/32

# IPTABLEs Default Rules

#
# Sample iptables rules. It should be localted at:
#   /etc/sysconfig/iptables
#
# Shipped within iRedMail project:
#   * http://iRedMail.googlecode.com/
#

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loop device.
-A INPUT -i lo -j ACCEPT

# Whitelist er1.swift.****.net
-A INPUT -s x.x.1.30 -j ACCEPT

# SNMP
-A INPUT -s 10.0.0.25 -p udp --dport 161 -j ACCEPT
-A INPUT -s x.x.3.11 -p udp --dport 161 -j ACCEPT
-A INPUT -s x.x.2.153 -p udp --dport 161 -j ACCEPT

# http, https
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# smtp (25,465,589) Port forward 589 to 25
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 589 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 589 -m state --state ESTABLISHED -j ACCEPT
-A PREROUTING -t nat -p tcp --dport 589 -j REDIRECT --to-port 25

# ssmtp (587)
-A INPUT -p tcp --dport 587 -j ACCEPT

# pop3, pop3s
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# imap, imaps
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

# ssh
-A INPUT -s x.x.2.153 -p tcp --dport 22 -j ACCEPT

# Allow PING from remote hosts.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# ejabberd
#-A INPUT -p tcp -m multiport --dport 5222,5223,5280 -j ACCEPT

# ldap/ldaps
#-A INPUT -p tcp -m multiport --dport 389,636 -j ACCEPT

# ftp.
#-A INPUT -p tcp -m multiport --dport 21,20 -j ACCEPT

# Allow connections from x.x.2.153 to MySQL and Plat Prov Listener
-A INPUT -s x.x.2.153 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s x.x.2.153 -p tcp -m tcp --dport 20133 -j ACCEPT

# DOS Protection
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

COMMIT

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by tonyd

  • tonyd
  • Member
  • Offline
  • Registered: 2012-09-22
  • Posts: 34

Re: Fail2Ban ignoreip Still Firewalling Whitelist

Hmmm, it would seem that the source of the problem (still not explaining who is adding the drop rule with fail2ban is not running) is to do with SASL LOGIN auth failure.

153727:May 14 10:53:28 mail3 postfix/smtpd[25883]: warning: unknown[x.x.1.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
153816:May 14 10:54:40 mail3 postfix/smtpd[24618]: warning: er1.swift.*****.net[x.x.1.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
153870:May 14 10:55:22 mail3 postfix/smtpd[23090]: warning: 84.sub-174-254-24.myvzw.com[174.254.24.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
155937:May 14 11:10:22 mail3 postfix/smtpd[25883]: warning: 84.sub-174-254-24.myvzw.com[174.254.24.84]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
156281:May 14 11:12:45 mail3 postfix/smtpd[1246]: warning: er1.swift.*****.net[x.x.1.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
156554:May 14 11:14:01 mail3 postfix/smtpd[25884]: warning: er1.swift.*****.net[x.x.1.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
156641:May 14 11:15:08 mail3 postfix/smtpd[25884]: warning: er1.swift.*****.net[x.x.1.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
156760:May 14 11:16:19 mail3 postfix/smtpd[10536]: warning: er1.swift.*****.net[x.x.1.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
156927:May 14 11:16:58 mail3 postfix/smtpd[10536]: warning: er1.swift.*****.net[x.x.1.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
156959:May 14 11:17:20 mail3 postfix/smtpd[1596]: warning: er1.swift.*****.net[x.x.1.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
157060:May 14 11:18:29 mail3 postfix/smtpd[10536]: warning: er1.swift.*****.net[x.x.1.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
157165:May 14 11:19:41 mail3 postfix/smtpd[29710]: warning: er1.swift.*****.net[x.x.1.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
157300:May 14 11:20:52 mail3 postfix/smtpd[1246]: warning: er1.swift.*****.net[x.x.1.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
157403:May 14 11:22:03 mail3 postfix/smtpd[1246]: warning: er1.swift.*****.net[x.x.1.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
157455:May 14 11:22:14 mail3 postfix/smtpd[4524]: warning: er1.swift.*****.net[x.x.1.30]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

3 Reply by tonyd

  • tonyd
  • Member
  • Offline
  • Registered: 2012-09-22
  • Posts: 34

Re: Fail2Ban ignoreip Still Firewalling Whitelist

In my case, I have a network in which many hosts are NAT'd behind a public IP.  That IP keeps getting banned.  I need to whitelist this SASL LOGIN failure.

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,082

Re: Fail2Ban ignoreip Still Firewalling Whitelist

You jail.local looks fine. please make sure you have this client (either an IP address, a CIDR mask or a DNS host) listed in ignoreip.

5 Reply by tonyd

  • tonyd
  • Member
  • Offline
  • Registered: 2012-09-22
  • Posts: 34

Re: Fail2Ban ignoreip Still Firewalling Whitelist

Hi Zhang,

I do, that's the problem.  Despite having that IP listed as part of the ignoreip, it still gets banned.